fix: use a LocalObjectReference for credentials Secret (#37)

Using a cross-namespace objectRef in the cluster API can lead to privilege escalation. A user with RBAC to read Secrets in one namespace can create a cluster, and copy any Secret from any other namespace to their workload cluster.
d2iq-labs · Apr 9, 2024 · cb8fadb · cb8fadb
1 parent e78e6f9
commit cb8fadb
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 7 deletions.
diff --git a/api/v1alpha1/addon_types.go b/api/v1alpha1/addon_types.go
@@ -164,7 +164,7 @@ type CSIProvider struct {
 	Strategy AddonStrategy `json:"strategy"`
 
 	// +optional
-	Credentials *corev1.SecretReference `json:"credentials,omitempty"`
+	Credentials *corev1.LocalObjectReference `json:"credentials,omitempty"`
 }
 
 type StorageClassConfig struct {
@@ -257,9 +257,6 @@ func (CSIProvider) VariableSchema() clusterv1.VariableSchema {
 						"name": {
 							Type: "string",
 						},
-						"namespace": {
-							Type: "string",
-						},
 					},
 				},
 				"storageClassConfig": {

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/handlers/generic/lifecycle/csi/nutanix-csi/handler.go b/pkg/handlers/generic/lifecycle/csi/nutanix-csi/handler.go
@@ -87,8 +87,8 @@ func (n *NutanixCSI) Apply(
 				Kind:       "Secret",
 			},
 			ObjectMeta: metav1.ObjectMeta{
-				Namespace: provider.Credentials.Name,
-				Name:      provider.Credentials.Namespace,
+				Name:      provider.Credentials.Name,
+				Namespace: req.Cluster.Namespace,
 			},
 		}
 		err := n.client.Get(